Microsoft’s move towards passwordless technology will kick up a gear from Friday 1 August 2025, when Redmond will implement new measures that in effect force users of its Authenticator application to migrate to passkeys by removing password support and deleting stored passwords.
Since the start of June 2025, users of the Authenticator application have lost the ability to add or import new passwords through the app – although until July, they were able to continue saving passwords through autofill.
Since the beginning of July, they have not been able to use autofill with Authenticator and, beginning this week on 1 August, any passwords saved in Authenticator will no longer be accessible.
According to Microsoft, saved passwords – though not generated password history – and addresses will continue to be synced to users’ accounts and remain accessible through the organisation’s Edge browser.
If they have recently logged in, Authenticator users will have been prompted to set up passkeys at that time, but more guidance and next steps are available from Microsoft.
“The authentication landscape has evolved, and we now have better options available across many devices and services, with password managers, passkeys and biometrics all playing their part in reducing the burden and improving protection,” said Steve Furnell, a senior member at the Institute of Electrical and Electronics Engineers (IEEE) and professor of cyber security at the University of Nottingham.
“At the same time, these solutions are far from ubiquitous. Many leading websites still use passwords as the basis for sign-up and it varies whether other options are available or clearly signposted once accounts are set up. Password hygiene has only seen modest improvements and we’ve been addressing the same issues for decades.
“Keychains and autofill features offer some supplementary support by easing the memory burden of remembering multiple passwords. However, they don’t address the underlying bad practice in selecting, sharing and reusing passwords. Password managers can only assist if the features are properly implemented – and despite the availability of new tools, many people still struggle to maintain good password hygiene.”
How passkeys work
Passkeys comprise two separate bits of encrypted information that must be paired to work – like a key and a lock. The first, private part is stored on the user’s device through an authentication app, and the second, public part, is stored with the destination service that has implemented passkey technology.
When a user attempts to log in to this service, it sends a notification to a user’s chosen authenticator app – others besides Microsoft Authenticator are available – on their mobile device.
The user can then use their fingerprint, facial recognition, or a personal identification number (PIN) on their device to unlock the app, which creates an encrypted, private passkey and sends it back to the service, where it is paired with the public key, thus logging the user in without them having transmitted any credential or personally identifiable information (PII).
Passkeys do have some drawbacks – they are not available everywhere yet, which means some may struggle to keep up with managing them, and they require users to overcome any discomfort at incorporating biometric verification into their security practice.
Nevertheless, security experts do in general consider them to be much safer than passwords because they eliminate the need for users to memorise lengthy and complex passwords (or worse still, write them down).
Additionally, each newly generated private passkey is unique, so they cannot be reused across multiple services, and because the keys are only stored on the user device and not on the destination service’s infrastructure, they are less vulnerable to phishing attacks or keylogging malware, and are harder to compromise in a data breach – an attacker who breached the service would only be able to obtain the public key.
A gradual transition
Darren Guccione, CEO and co-founder of Keeper Security, said that the elimination of password support by Microsoft suggested at first glance that the industry was moving rapidly towards normalising passwordless tech. However, rather than heralding anything so dramatic, the transition was proceeding rather more gradually.
“Solutions that can generate and secure traditional passwords remain critical for individuals and organisations alike even as passwordless becomes more widely adopted,” said Guccione.
Citing Keeper’s own research, Guccione said that 40% of organisations today are operating in a hybrid environment in which passwords and passkeys coexist.
“This is more reflective of the current cyber security reality – one in which passkeys offer distinct advantages but in which the infrastructure, user behaviour and systems required for universal adoption are still catching up,” said Guccione.
While this approach does introduce risks, he said, organisations that can strategically layer both passwords and passkeys can mitigate some of these by, for example, prioritising the use of passkeys in sensitive or regulated areas, such as managing privileged access to customer data.
“The end of passwords in one platform doesn’t signal the end of passwords altogether. It’s a slow and gradual transition that necessitates modern and agile security solutions,” said Guccione.